1. Field of the Invention
The present invention relates to a system which automates the construction, maintenance, updating and destruction procedures of a virtual private organization that delivers services and information on the Internet, to enforce a policy for a management entity which is an abstraction of the service, data, software and hardware forming the virtual private organization, and, more particularly, to a system for enforcing a policy for a virtual private organization which enables automation of a maintenance procedure by failure recovery and of an updating procedure at the time of scale expansion, and a method therefor.
2. Description of the Related Art
Conventional systems for enforcing a policy for a management entity which is obtained by abstracting the service, data, software and hardware forming a virtual private organization are disclosed in, for example, Japanese Patent Laying-Open (Kokai) No. 2001-43162 (Literature 1), Japanese Patent Laying-Open (Kokai) No. 2001-168913 (Literature 2) and Japanese Translation of PCT International Application No. 2003-502757 (Literature 3).
In the following, one example of these conventional policy enforcing systems will be described with reference to FIG. 17.
With reference to FIG. 17, a conventional policy enforcing system is formed of three data bases (a policy data base 1700, a user information data base 1701 and a management information data base 1702), a classification unit 1704, and a plurality of managing layers or devices to be managed (group).
A system which enforces a policy in a communication network is formed of a service managing layer 1801, a network managing layer 1802 and an element managing layer 1803. The plurality of the managing layers or the devices to be managed (group) include conversion units 1705 to 1707, storage units 1708 to 1710, determination units 1711 to 1713 and devices to be managed 1714 to 1719, respectively.
Here, the service managing layer 1801 manages, with respect to an application (software) executed on the devices 1714 and 1715 to be managed, what kind of application is installed and executed on which device or the like. The network managing layer 1802 conducts management related to a network of the devices 1716 and 1717 including a router, a switch, etc. to be managed. The element managing layer 1803 conducts management related to the devices 1718 and 1719 including a PC, an HDD, a printer, etc. to be managed.
The conventional policy enforcing system thus structured operates in the following manner.
More specifically, the classification unit 1704 classifies the individual policies accumulated in the policy data base 1700 into the layers in which the policies are enforced or into the devices to be managed (group). The conversion units 1705 to 1707 of the respective managing layers or devices to be managed (group) convert the description of the conditions and instructions of the classified policies into a format (command) inherent to the device to be managed (group). At this time, the user's identifier and authorization in the user information data base 1701 and the static structure information of the system (version information of each device or software, etc.) in the management information data base 1702 are referred to and used for the conversion. The storage units 1708 to 1710 accumulate the converted policies. The determination units 1711 to 1713 determine, from the description of the conditions of a policy, whether the policy can be enforced and, when determining that it is enforceable, operate the devices 1714 to 1719 based on the description of the instruction of the policy to enforce the policy for the device.
The above-described conventional system which enforces a policy for management entities forming a virtual private organization has the following problems.
The first problem is that efficient operation is impossible when the number of devices included in each managing layer for service management, network management and element management, or in the devices to be managed (group), is increased. In other words, efficient operation is difficult in the management of a large-scale virtual private organization having a large number of devices. The reason is that as the number of devices increases, the processing load on a determination unit grows and becomes a bottleneck, so that more time is required for determination and enforcement of a policy.
The second problem is the difficulty in coping with a change in the number of devices to be managed or in the device structure, and with the addition of a new kind of device or operation. The reason is that, because the policies are classified into three layers in advance and then managed, the storage units must be updated frequently when a new kind of device or operation is added and a policy changes.
The third problem is that it is impossible to enforce a high-level policy for a plurality of devices bridging the respective managing layers or devices to be managed (group). The reason is that, because the system employs a method of classifying the policies into fixed managing layers or devices to be managed (group), the system is incapable of coping with a policy which requires communication or information exchange between the determination units of the respective managing layers or devices to be managed (group).
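The conventional flow described above (classification, conversion, storage, determination) and its third problem can be modeled as follows. This is an added illustration, not code from the cited literature or from the invention; the layer names, device kinds, command format, data base contents and sample policies are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical mapping of device kinds to the three managing layers (1801-1803).
LAYER_OF_KIND = {"application": "service", "router": "network", "switch": "network",
                 "pc": "element", "hdd": "element", "printer": "element"}
# Constructed stand-ins for the user information DB (1701) and management information DB (1702).
USER_DB = {"alice": {"authorized": True}, "bob": {"authorized": False}}
MGMT_DB = {"application": "v1", "router": "v2", "switch": "v3", "pc": "v7"}

@dataclass(frozen=True)
class Policy:
    name: str
    user: str
    condition: str        # abstract condition, e.g. "link_down"
    instruction: str      # abstract instruction, e.g. "reroute"
    target_kinds: tuple   # device kinds the policy applies to

def classify(policy):
    """Classification unit (1704): assign the policy to exactly one fixed layer."""
    layers = {LAYER_OF_KIND[k] for k in policy.target_kinds}
    if len(layers) != 1:
        raise ValueError(f"{policy.name} spans layers {sorted(layers)}")
    return layers.pop()

def convert(policy):
    """Conversion unit: rewrite the abstract policy as device-specific commands."""
    if not USER_DB.get(policy.user, {}).get("authorized", False):
        raise PermissionError(f"{policy.user} may not issue {policy.name}")
    return [{"when": policy.condition,
             "cmd": f"{kind}/{MGMT_DB[kind]}:{policy.instruction}"}
            for kind in policy.target_kinds]

def deploy(policies):
    """Classify, convert and store each policy; collect the ones that cannot be placed."""
    stores = {"service": [], "network": [], "element": []}
    rejected = []
    for p in policies:
        try:
            stores[classify(p)].extend(convert(p))
        except (ValueError, PermissionError) as exc:
            rejected.append((p.name, type(exc).__name__))
    return stores, rejected

def determine(store, observed):
    """Determination unit: return the commands whose condition currently holds."""
    return [entry["cmd"] for entry in store if observed.get(entry["when"], False)]

# Constructed sample policies: one single-layer, one unauthorized, one cross-layer.
POLICIES = [
    Policy("failover", "alice", "link_down", "reroute", ("router", "switch")),
    Policy("wipe", "bob", "disk_full", "format", ("pc",)),
    Policy("scale_out", "alice", "high_load", "add_instance", ("application", "router")),
]
```

The "scale_out" policy touches both the service and network layers, so the fixed classification step has no single storage unit to place it in, which is the situation the third problem describes.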